SafeGuard Cyber discovered a sample of the Echelon malware targeting crypto wallets and user account credentials. The researchers detected the malware on a cryptocurrency discussion channel on Telegram.
“Based on the malware and the manner in which it was posted, we believe that it was not part of a coordinated campaign and was simply targeting new or naive users of the channel. The sample of Echelon that we analyzed targets credentials, crypto wallets, and has some fingerprinting capabilities,” SafeGuard said.
The Incident
Researchers at SafeGuard revealed that the attackers exploited the Telegram handle “Smokes Night” to propagate the malware Echelon and steal credentials from user accounts and crypto wallets.
“This was an isolated, one-off incident meant to target new unsuspecting users of the channel. The handle ‘Smokes Night’ was only used once on the channel, and the only post it made was to post Echelon. The post did not appear to be a response to any of the surrounding messages in the channel. We did not see anyone respond to ‘Smokes Night’ or complain about the file, though this does not prove that users of the channel did not get infected,” shared SafeGuard.
Malware Brief
Explaining the malware, the researchers noted that analysis of the malicious executable shows it contains some anti-analysis features. It has two anti-debugging functions, which immediately terminate the process if a debugger or other malware analysis tools are detected. Additionally, the sample is obfuscated using ConfuserEx v1.0.0.
SafeGuard divulged, “After de-obfuscating the .NET code, we found that the sample performs several crypto wallet and credential-stealing functions, as well as domain detection and computer fingerprinting. The malware will also attempt to take a screenshot of the victim machine.”
Targeted Applications (Credential Theft):
- Discord
- Edge
- FileZilla
- NordVPN
- OpenVPN
- Outlook
- Pidgin
- ProtonVPN
- Psi(Jabber)
- Telegram
- TotalCommander
Targeted Cryptocurrency Wallets:
- Armory
- AtomicWallet
- BitcoinCore
- ByteCoin
- DashCore
- Electrum
- Exodus
- Ethereum
- Jaxx
- LitecoinCore
- Monero
- Zcash
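As an added defensive example that is not part of SafeGuard's report, the Python script below performs a quick static triage of a file: it looks for the ConfuserEx version marker mentioned above (the string ConfuserEx writes into its ConfusedByAttribute) and for the names of the targeted applications and wallets listed, matching both ASCII and the UTF-16LE encoding used for .NET user strings. The scoring thresholds and the sample bytes are constructed assumptions, not values from the analysis.

```python
import re

# Indicators taken from the published analysis; thresholds below are assumptions.
CONFUSEREX_RE = re.compile(rb"ConfuserEx v\d+\.\d+\.\d+")   # ConfusedByAttribute text
TARGETED_APPS = ["Discord", "Edge", "FileZilla", "NordVPN", "OpenVPN", "Outlook",
                 "Pidgin", "ProtonVPN", "Psi", "Telegram", "TotalCommander"]
TARGETED_WALLETS = ["Armory", "AtomicWallet", "BitcoinCore", "ByteCoin", "DashCore",
                    "Electrum", "Exodus", "Ethereum", "Jaxx", "LitecoinCore",
                    "Monero", "Zcash"]


def _present(data: bytes, name: str) -> bool:
    """True if name occurs as ASCII (metadata blobs) or UTF-16LE (.NET #US heap).
    Short names such as "Edge" or "Psi" also match unrelated text, so hits are
    a score for an analyst to review, not proof."""
    return name.encode("ascii") in data or name.encode("utf-16-le") in data


def triage(data: bytes) -> dict:
    """Score a binary for the obfuscator marker and stealer target names."""
    marker = CONFUSEREX_RE.search(data)
    apps = [a for a in TARGETED_APPS if _present(data, a)]
    wallets = [w for w in TARGETED_WALLETS if _present(data, w)]
    hits = len(apps) + len(wallets)
    if marker and hits >= 3:          # assumed threshold
        verdict = "likely stealer"
    elif marker or hits >= 3:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"obfuscator": marker.group(0).decode() if marker else None,
            "apps": apps, "wallets": wallets, "verdict": verdict}


def constructed_sample() -> bytes:
    """Constructed stand-in for a ConfuserEx-protected stealer, not a real file."""
    blob = b"MZ" + b"\x00" * 16 + b"ConfusedByAttribute\x00ConfuserEx v1.0.0\x00"
    for s in ["FileZilla", "Telegram", "Electrum", "Exodus"]:
        blob += s.encode("utf-16-le") + b"\x00\x00"
    return blob


def benign_sample() -> bytes:
    """Constructed buffer containing none of the indicators."""
    return b"MZ" + "hello world".encode("utf-16-le")


if __name__ == "__main__":
    print(triage(constructed_sample()))
    print(triage(benign_sample()))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; treat the result as a prioritisation hint for sandboxing or manual analysis.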
Threat actors continue to prey on digital platforms and leverage every opportunity to cause disruption and satisfy their financial greed. Cryptocurrency has become a hallmark of these attacks. Whether as the targeted platform or as the medium for ransom payments, digital currency is a haven for cybercriminals.
Akshat Jain, CTO of Cyware, opines, “Cryptocurrencies continue to provide a safe haven for cybercriminals and ransomware groups looking to evade being traced. Because these coins are largely anonymous, cybercriminals are heavily relying on these currencies to carry out attacks. As per the data shared earlier this year by the National Cybersecurity Coordinator, India, ‘by the end of 2021, ransomware is expected to attack a company every 11 seconds and cause damages of up to $20 billion.’ The illicit use of cryptocurrency, both to evade sanctions and to obfuscate involvement in criminal activity, will continue to increase in 2022, with ransomware and crypto-jacking being the two most prominent ways that criminals can directly receive cryptocurrency payments from their victims.”
Cryptocurrency exchanges and hot wallets remain a primary target for threat actors. Another recent victim of this wave of crypto hacks was the cryptocurrency trading platform BitMart.